DKIM/SPF inbound filtering examples

Nov 30th, 2009

Hi All,

I was wondering if anyone can post examples of their DKIM and SPF filtering on their inbound mail flows that I might be able to look at. It would seem that all the filters I have attempted put a lot of legitimate mail into the quarantine and have little to no effect on the spam side.


Help???

Andrew Wurster Wed, 12/02/2009 - 20:55

what we need from you:

- sample message (attached as rfc822 copy)
- your filter syntax (click rules view for a paste-able text-friendly output)
- config.xml file (attached if possible)
- an overview of what you're trying to accomplish

andrew

Geosoft_ironport Thu, 12/03/2009 - 19:32

Hi Andrew,

I'm just looking for generalized filtering people are doing for SPF and DKIM. Right now we have not implemented any filtering at this time, because mailing lists break DKIM and some network administrators haven't paid attention to their SPF policies.

While we have set everything we need on the outbound traffic, I was just wondering how people are dealing with these items on the inbound... or if anyone is actually monitoring DKIM and SPF on the inbound at all.

So, I guess I'm looking for best practices or examples on how people are implementing these items on their Ironports.

thatbloke_ironport Thu, 12/03/2009 - 22:41

We have a simple 'logging only' rule:

SPF_Fail: if (spf-status == "fail") { deliver(); } 


This doesn't affect deliverability of messages, but gives us an idea of how many SPF failures we are getting on inbound mail. We have a similar filter for DKIM failures.

Currently we don't have enough faith in these systems to employ them as an anti-spam measure (but at least we know what the impact would be if we started blocking based on failures). Besides, using SenderBase scoring and CASE is working just fine at the moment.

frederic.lens Tue, 12/08/2009 - 15:43

Hi all,
On our side, we quarantine mails which fail SPF or DKIM validation.
Don't know about the code, but in the GUI it looks like this:

Conditions
Apply rule:
Order  Condition            Rule
1      DKIM Authentication  dkim-authentication == "hardfail"
2      SPF Verification     spf-status == "fail"

Actions
Order  Action      Rule
1      Add Header  insert-header("X-Ironport-Quarantine", "Quarantine")

Statistically, we have quarantined 1438 mails using this content filter over the last month (total mail traffic was over 4.4M mails, with 84% blocked at SMTP level by the reputation filter).

Hope it helps!
Fred
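
Added example (not from any poster in this thread, and not IronPort filter syntax): a Python sketch of the "measure before you block" approach discussed above, tallying how many messages a quarantine rule would catch if it fired on either failure versus only on both. It assumes the receiving gateway stamps an Authentication-Results header under the hypothetical authserv-id `mx.example.net`, treats `dkim=fail` as the counterpart of the "hardfail" value mentioned above, and uses constructed sample messages.

```python
import email
from collections import Counter

TRUSTED_ID = "mx.example.net"  # assumption: authserv-id stamped by our own gateway

def msg(*results):
    """Build a constructed test message carrying the given Authentication-Results values."""
    return "".join(f"Authentication-Results: {r}\n" for r in results) + "Subject: t\n\nbody\n"

# Constructed samples: direct mail, a mailing list that breaks DKIM, a forwarder
# that breaks SPF, an unsigned SPF failure, and a double failure that also
# carries a header from a server we do not trust.
SAMPLES = [
    msg("mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org"),
    msg("mx.example.net; spf=pass smtp.mailfrom=lists.example.com; dkim=fail header.d=example.org"),
    msg("mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=pass header.d=example.org"),
    msg("mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none"),
    msg("mx.other.example; spf=pass; dkim=pass",
        "mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=fail header.d=example.org"),
]

def auth_results(raw, authserv_id=TRUSTED_ID):
    """Return {'spf': ..., 'dkim': ...} using only headers from our own gateway.
    Simplified parser: does not handle comments in parentheses."""
    out = {"spf": "none", "dkim": "none"}
    for value in email.message_from_string(raw).get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != authserv_id:
            continue  # ignore results we did not compute ourselves
        for p in parts[1:]:
            method, _, rest = p.partition("=")
            key = method.strip().lower()
            # A pass is kept once seen, e.g. one good DKIM signature among several.
            if key in out and rest.strip() and out[key] != "pass":
                out[key] = rest.split()[0].lower()
    return out

def tally(raws):
    """Count failures per mechanism and what each quarantine policy would catch."""
    c = Counter()
    for raw in raws:
        r = auth_results(raw)
        spf_fail, dkim_fail = r["spf"] == "fail", r["dkim"] == "fail"
        c["total"] += 1
        c["spf_fail"] += spf_fail
        c["dkim_fail"] += dkim_fail
        c["either"] += spf_fail or dkim_fail   # quarantine if any check fails
        c["both"] += spf_fail and dkim_fail    # quarantine only if both fail
    return c

if __name__ == "__main__":
    print(dict(tally(SAMPLES)))
```

Run against a mailbox export of real inbound mail, the gap between the `either` and `both` counts shows how much mailing-list and forwarded traffic a strict rule would quarantine.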